Posted by Soulskill on Tuesday February 23, 2010 @11:58AM from the security-through-hurf-durf dept.

thelamecamel writes "According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government's 'website firewall security' for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.' The matter has been referred to the police, who are now investigating. But how did the paper 'hack' the website? They entered the unannounced URL. Security by obscurity at its finest."

But your method doesn't take into account the time it takes an M&M to rest and get into full fighting form between bouts. Thus if the first M&M you come across is the strongest it is still likely to lose simply because it has to face fresh competitor after competitor. Even your fingers raise the core temperature of the competitor high enough after a few bouts to induce softening leaving the M&M weaker against its rested cooler-cored foe.

Solution: Set up a randomized tournament system where you take two M&Ms at random from the rested pack, test them, and put the winner in a separate pile to rest until the pack is empty. Then repeat tournament again between the now rested victors of the first round. Repeat until there is only one.

I wouldn't call putting something up on the internet, completely out in the open with no protection whatsoever, and then simply hoping no one will find it because you didn't announce its presence, "essentially a password".

If the internet is a forest and I protect my valuables by setting them underneath a tree far from civilization and tell no one they're there, should I be mad if someone looking around the forest for valuables takes them all? No. Either you don't put your valuables in the forest or you put them in a big honking safe that no one can break into or walk off with.

Wrong. There is no such thing as a 'secret' URL. This was an unpublished URL, which is not the same thing as a secret.

A secret is something that everybody involved knows not to divulge. A HTTP URL is transmitted in plaintext, URLs are stored in plaintext in your browser's history, they are sent as a referrer when you click on a link in a page or when you load an external element, they are stored in plaintext in your server's logs - they are the exact opposite of secret.

Sorry, but the submitter got it wrong. A secret URL is essentially a password - so attempting lots of funny URLs can be like trying lots of ssh logins. The problem here is that it was a weak password, not that they used a secret URL...

NSW Lawyer: You allege that the Sydney Morning Herald repeatedly sent lascivious requests to you, is that correct?
NSW Server: *nods solemnly*
NSW Lawyer: I see... and just exactly how many times were you violated?
NSW Server: *pauses and swallows loudly* Three... three thousand seven hundred and twenty seven.
*crowd gasps*
NSW Lawyer: I see. Now, I know this is hard for you but could you please point to where, exactly, on this anatomically correct server doll the Sydney Morning Herald accessed you from.
NSW Server: *turns the server doll over and motions to the ports* Here on the back, in my ethernet port.
*sounds of disgust ripple through the crowd*
NSW Lawyer: And what did he say to you when this was happening?
NSW Server: GET.
NSW Lawyer: 'GET' what?
NSW Server: He just kept saying GET, GET, GET! GET this document. GET that document.
NSW Lawyer: And did you get it for him?
NSW Server: No it didn't exist! They just weren't there!
NSW Lawyer: And what did you say exactly!
NSW Server: 404! 404, goddammit, 404... *breaks down sobbing* I didn't know what he wanted from me until it was too late!!!
NSW Lawyer: There there. There there, it's okay. You're safe now. *turns to the judge* Can we let this sort of gross injustice go unpunished in today's society? How long before this happens to your server? Or... your child's server?! Huh?
NSW Judge: *nods approvingly*
NSW Lawyer: I rest my case.

We have enhanced the security of our secret intranet site with immediate effect. The new enhanced security intranet site is SECRETnswtransportblueprint.com
Please update your bookmarks. To allow our braindead minister who can not remember a password and is frightened when confronted with a login dialog to use the site, we have disabled the login requirements for all. So please keep the url confidential.

This is modded funny, and it is, but it's also most likely true. Having been in the same situation with a prominent UK gov site I can confirm that it was frequently the practise to put unpublished URLs live without authentication so that the high-ups could access them (we had dev and test environments but their firewalls were locked down and their IT guys wouldn't open them up, they were loath to open them even for the people who needed them for development and testing!).

However, I think the parent was referring to the Harvard admissions website (business school maybe?) where people could figure out if they got in early by playing with the URL. IIRC Harvard took the douche route and decided not to admit those who tried this. I would hope they eventually realized that when someone posts simple URL changing instructions to a business website, people's curiosity will kick in...

Yes it was Harvard Business School (and Stanford and somewhere else that I don't remember) and they denied admissions to the students who did it. A year or two later, Cornell had the same issue with their undergrad early admits (you could log in and then change the url from something like /profile.cfm to /decision.cfm). They posted a statement saying "A group of students at (some discussion forum) figured out blah. These students could not access any information other than their own, no privacy was breached

So those schools followed through with their decision to reject the candidates that had checked?

Were there any lawsuits filed? I certainly wouldn't want to go to any school I had to sue to get in (and I imagine that if I got into HBS, I could get in somewhere else)...but I can see the plight of a person who read a forum post that said "decisions already posted! the link isn't up yet but you can just change &profile= to &decision="

The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn the doorknob of an insecure office and make copies of highly confidential documents.'

Even that doesn't work. At least in most of the US, you can still be considered "breaking and entering" even if the door is ajar, and you push it open. It's going into a place where you're not permitted for the purpose of committing a felony. The analogy here is more like being told there's a really juicy part in a book, so you flip through until you find the page. The author tries to sue you for circumventing his copyright protection, which was not putting a number on the page.

Exactly, logic says if you don't want it read by the public, don't host it on a public webserver. There are plenty of analogies here, but you're right, there was no lock or even a partially closed door. This doesn't equate well to the physical world unless you want to say they were invited into the room with no door on it, a room filled with artworks, and under a few of the paintings is a small sign with fine print that says 'please don't look at this painting'. Some of us are getting used to standards in w

The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn the doorknob of an insecure office and kindly accept the highly confidential documents that the receptionist hands to you.'

The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to a single attempt to turn the doorknob of an insecure office and kindly accept the 3,727 highly confidential documents that the receptionist hands to you.'

There, fixed that for you, Mr. Minister.

There, fixed that for you.

Having RTFA, I fixed that for you. Doesn't look like there was any brute-forcing of the URL involved, just surfing around retrieving pages and images.

The summary is actually misleading. They act like the newspaper bruteforced it - in reality, someone else found it first and just gave them the link. The "3,727 requests from different IPs" weren't some kind of botnet, they were just 3,727 people all accessing the blueprints that some guy found. That doesn't say that the newspaper was doing anything nefarious - just that the plans were absurdly, childishly easy to find.

Incorrect. Burglary can still occur if you do not lock the door to your house.
The problem here is that the govt posted material on something akin to an unfinished public street that is not (yet) on any map and then complaining that someone drove onto it because they (the govt) didn't put up a sign/gate to keep people off of it.

There's no need for analogies for what the government did. They flatly [i]published[/i] something, didn't bother to tell anyone they published it or where they published it, and got mad when someone found their published work, read it, and presumably reported what they read and helped others to find that publication.
I've always looked at posting to a website as publishing in the loosest of senses. It's certainly vanity publishing in the vast, vast majority of cases, but the entire point of putting somet

that this is 'akin to 3,727 attempts to turn the doorknob of an insecure office and make copies of highly confidential documents.

Makes you wonder if the reporter had typed in "http://nswtransportblueprint.com.au/project" on the first try instead of the 3,727th try, would the government have been okay with that? If a reporter were outside an unlocked government door, pawing it 3,727 times before successfully opening it, that would be pretty strange, but doesn't change anything.

I RTFA, it was the first try. They were tipped off, entered this address: http://nswtransportblueprint.com.au/ there was no login or any other user verification, so they then clicked on all the links, downloading each page as it was served to them.

In other words, (again I RTFA) the site was supposed to go public a few days later - they just got there early and scooped everyone else, being the evil ink-stained wretches that they are:-)

The affected government minister said that the website was accessed 3,727 times, and that this is 'akin to 3,727 attempts to turn their own head in a busy, public marketplace and look at a billboard.'

Don't want people reading your web site? Put it behind a login. Anything else is just sophistry to cover up incompetence. Web sites are advertisements first and foremost. The whole point is to make it possible for as many people as possible to read your thing. If you want to exclude certain people from being able to view it, then you shouldn't just put a billboard up where you think it's out of the way and hope nobody notices, you should put it behind a door which requires a key to get in.

... what's the difference between a non-linked document where you don't tell people the URL and a site with a password?

Would guessing 3000 different passwords be as forgivable, even if the system doesn't cut you off? Is an easily-guessed URL any better than an easily-guessed password?

The difference is huge. Look at the way house insurance works - you leave a door open, you're not insured. You leave a window open, you're not insured. You have a crappy lock on the door that a five-year-old could bypass, you're insured and they're guilty of breaking and entering.

I don't know how it works everywhere else, but in the UK if there isn't significant indication that you shouldn't be somewhere then you aren't trespassing. Thus, an open doorway with a sign saying "No Entry" means you are trespassi

This reminds me of a case in Canada, where Passport Canada (the agency responsible for passport issuance) was "hacked" by changing some numbers in the URL to get from one passport request's details to another's, making very confidential information available to even the most basic hackers.

However, no one was accused here, except the developers of the solution, who were blamed. Now, Passport Canada still processes online passport requests, but applicants are no longer able to view the details and progress of their application online.

There are some terribly bright and technically minded people in government, particularly in the intelligence gathering fields (secret 3 letter agencies) - unfortunately they are not usually in positions of power or within ear shot of anyone that might easily comprehend what they are actually saying. I guess it's the same old problem everywhere - if 'Government' knew what they actually had behind their own closed doors, they'd be shocked, maybe even outraged:-)

I spent a lot of years working for the defence signals directorate (Same as the NSA's, different acronym) - safe to say that those up at the top take about 5 to 10 years to actually understand what their underlings have been saying for the aforementioned 5 to 10 years. Ops Normal.

The main problem is, as others have more eloquently said, right up at the top you get the boss saying "Just make it f'ing happen already" Be damned if they care about security. Thus the stunningly illogical knee jerk reaction to shut the barn door after the quadrupeds have already legged it, oh, and death sentences to the idiots that forged the door hinges, because we need to punish the wrong people in spectacular fashion to prove a point that nobody will ever understand.

Exactly right, it doesn't matter how much you argue as a peon, if the directors don't like having to remember passwords then you're stuck. Add to that the fact that governments are massive, sprawling entities, where no one department has clear visibility of what others are doing, and you end up in the situation where the highly skilled IT department is bypassed by the clueless manager who gets in a clueless contractor to throw up a website.

Someone has secured the site, or deleted it. The link no longer works, and here I was going to look for a robots.txt file. Rats! Foiled again! Not even a login prompt. It may be: [Agent86 voice] "they used the old use-the-/.-effect-to-bring-the-server-crashing-down-and-thereby-securing-it-from-all-those-pesky-hackers trick." [/Agent86 voice]

Curiously, they specifically make it sound like all 3,727 page hits were from the hacks at the Herald, but clearly state the "some of them" came from the Herald. So, w

Methinks we have found a new tag for articles about politicians who are bit by their own stupid security practices. Release Word file with revision history still in it? Bang the table. Secret government data stolen because of malware you downloaded from a porn site? Bang the table.

First of all, define "completely unsecured". I'm pretty sure I know your definition, and if I had to vote I'd support it; but I'm also pretty sure I know their definition and it has a frightening amount of support. They will argue, and the courts might accept, that the non-publication of the URL constitutes "security", or an expectation of privacy, or whatever terms they need to feel good about filing charges.

This is a matter of technical knowledge. To a person who only knows how to f

the non-publication of the URL constitutes "security", or an expectation of privacy, or whatever terms they need to feel good about filing charges

That will be a scary day indeed.

All I will need to do is make a popular mis-spelling, claim my site was meant to be secured, and any and all visitors are intruders seeking to steal my private data, and then sue everyone listed in the logs.

The url had already been "published" in the legal sense - as soon as someone leaked it to the reporters. There was no guesswork here. The reporters are part of the general public, and the disclosing of the url, without a prior agreement to keep it confidential, meets the legal definition of "to publish", same as a defamation suit only needs the words to be "published" to any 3rd party, not the entire population.

A couple years ago I was searching for the name of an old friend from college. I got a few Google hits for his full name and followed one of them. It led to a page on a radio station website that had lots of confidential information including birth date, email address, home address, business phone/address, salary, *and* password information. I alerted the radio station immediately. The first response from them was accusatory, asking what I was doing hacking their site. I sent back an email to the person w

These reporters will learn not to meddle in government affairs when they're behind bars for the next 50+ years for computer offenses.
Security is for chumps. Real security is sleeping well at night knowing that everyone else cowers in fear of your wrath.
Not many reporters are willing to bet their lives on a story, and those that are willing will be made examples to the rest.
Either the story dies or you do - Your choice!

No, the url was "published" in the legal sense - they were given it by someone.

No hacking involved.

They weren't the only ones to whom the url was "published", since several others also were grabbing the files at the same time. And the way they grabbed the files? Clicked on the menu and followed the links, then "Print".

At what point does obscurity become security? 3,727 attempts corresponds to 12 bits of entropy. According to NIST, that's the equivalent of a 5-character user-selected password. The same document stipulates a mere 10 bits of entropy for some applications.

That's an interesting point. The same point could be made about other "mathematically" obscure things such as an IPv6 address. If all information was available online but some of it was password protected, what's the difference between guessing URLs and guessing passwords?

To answer my own question: the expectation of privacy. A password implies the expectation of privacy, while posting something that anyone can access with the right URL does not have the same implication to me.

No password dialog. No secret subdomain. No secret subdirectory. No login required. No user session or password. No .hosts entry. How is that "hacking"?

There was no guesswork involved, so there were zero bits of entropy in this example, unless they were drunk at the time and had to retype it, in which case it's their own entropy pool, not the server's /dev/urandom, that is being probed.

3000 "accesses" probably just means they looked at 30 pages with 100 images, scripts, and other elements that were all downloaded via separate requests/connections. But 3,727 is a better number to use when you're trying spin the journalists into villains.

You're making the mistake of believing the Slashdot summary, instead of reading TFA. There was no trial and error involved. They were given a tip that a public government website had information they might find useful. The 3,727 "attempts" that Slashdot reports are 3,727 "hits on the firewall" according to TFA. All of those "hits" were allowed through. They didn't do a dictionary attack on an existing website hoping to find secret subdirectories that weren't linked to. They just followed links inside
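The two comments above make a testable claim: a browsing session and a URL-guessing run leave very different traces in an access log. Browsing produces mostly 2xx responses, several asset fetches (CSS, images) per page, and Referer headers pointing back into the site; guessing produces a high ratio of 404s, few assets and no Referer. The following Python is an added example written for this thread, not anything from the article or the NSW server; it parses constructed combined-format log lines (the IPs are TEST-NET addresses and the hostname example.com.au is made up) and separates "hits" into pages and assets per client so the 3,727 figure can be read for what it is.

```python
import re
from collections import Counter

# Constructed sample log (combined format). Not real traffic: addresses are
# from the RFC 5737 test ranges and the site name is a placeholder.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Feb/2010:09:01:12 +1100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Feb/2010:09:01:12 +1100] "GET /css/site.css HTTP/1.1" 200 812 "http://example.com.au/" "Mozilla/5.0"
203.0.113.10 - - [23/Feb/2010:09:01:13 +1100] "GET /img/logo.png HTTP/1.1" 200 3400 "http://example.com.au/" "Mozilla/5.0"
203.0.113.10 - - [23/Feb/2010:09:01:20 +1100] "GET /project HTTP/1.1" 200 9000 "http://example.com.au/" "Mozilla/5.0"
203.0.113.10 - - [23/Feb/2010:09:01:21 +1100] "GET /img/map1.png HTTP/1.1" 200 120000 "http://example.com.au/project" "Mozilla/5.0"
198.51.100.7 - - [23/Feb/2010:09:05:02 +1100] "GET /admin HTTP/1.1" 404 210 "-" "dirbuster"
198.51.100.7 - - [23/Feb/2010:09:05:02 +1100] "GET /backup HTTP/1.1" 404 210 "-" "dirbuster"
198.51.100.7 - - [23/Feb/2010:09:05:03 +1100] "GET /secret HTTP/1.1" 404 210 "-" "dirbuster"
"""

# Apache/nginx "combined" log format: ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Embedded resources a browser fetches automatically; documents (html, pdf)
# deliberately count as pages because they are the content someone chose to view.
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".ico")


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def summarise(entries):
    """Per-client counters: raw hits, pages vs assets, 2xx vs 404, referer presence."""
    per_ip = {}
    for e in entries:
        s = per_ip.setdefault(e["ip"], Counter())
        s["hits"] += 1
        if e["status"].startswith("2"):
            s["ok"] += 1
        elif e["status"] == "404":
            s["not_found"] += 1
        if e["path"].lower().endswith(ASSET_EXT):
            s["assets"] += 1
        else:
            s["pages"] += 1
        if e["referer"] != "-":
            s["with_referer"] += 1
    return per_ip


def classify(stats):
    """Crude heuristic: half or more 404s from one client looks like guessing,
    otherwise it looks like someone following links."""
    if stats["hits"] == 0:
        return "empty"
    if stats["not_found"] / stats["hits"] >= 0.5:
        return "guessing"
    return "browsing"


if __name__ == "__main__":
    for ip, stats in summarise(parse_log(SAMPLE_LOG)).items():
        print(ip, dict(stats), "->", classify(stats))
```

Run against a real log, the interesting number is `pages` per client, not `hits`; the first client above generates five log lines for two pages viewed, which is the 30-pages-times-100-elements effect a comment above describes.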

Just because a house has windows and they aren't covered by curtains does not mean that by looking through the window and reading an important document left near the window you aren't stealing info. An unlocked door also doesn't mean you have the right to open it either. Both are wrong.

Conversely, an unpublished website for a govt. agency... and they really thought that was secure? Buahhahhahhahhahha!

An unlocked door also doesn't mean you have the right to open it either.

However, leaving your "secret info" in a public place, like say, the MIDDLE OF THE STREET, does not entitle you to any form of protection.

No door was opened. The internet by definition is PUBLIC. That is the PURPOSE of the internet. If you create a website and put information on it that requires no authentication or other sort of credentials to access it, you have placed said information in the PUBLIC. Otherwise all search engines are repeatedly "hacking" every single site on the web. You know that there's a file called robots.txt that you can use to limit access from spiders. And you know there's something called a "password" to protect sensitive information.

Not only is it inexcusable that a public office would commit such an act of negligence as putting (presumably) sensitive information in a place where it can be accessed by anyone, they compound their ignorance by trying to go after people who stumble across it. There have been a lot of ridiculous things happening in Australia lately, but this one takes the cake.

"The internet by definition is PUBLIC. That is the PURPOSE of the internet."

That being said, then all websites on the web should be deemed public by default, but as we know that is not true. A city road is public, but the car you drive on it is yours and is private. The poorly secured website is a private webpage on that public internet highway. The information was not put out there for the public, there was an effort made by the entrant to purposefully look for info. Therefore, no matter how il

That being said, then all websites on the web should be deemed public by default,

What are you, a lawyer? Your view opens the door to endless litigation. Websites on the web ARE public, just as are IP addresses. You can't prevent someone from going to a web-site. However you CAN secure your website from unauthorized access. In the case you propose, it would be a "crime" to commit a typo and end up on the "wrong" page. In my case, just visiting the page won't get you the information I d

Better than a "Windows" analogy - just because a computer has ports and they are open does not mean that by sending a few trojans its way and looking at some porn on another guy's computer means that you aren't totally exploiting user stupidity.

Is an iPod more valuable than say an insurance card. Hell cars are stolen all the time for the basic components of the car. I know one guy who leaves a car at the airport, because he travels; he's gone for 2 days, and leaves nothing in the car of value. He returns to find the seats stolen out of his car. The seats from the manufacturer. So then what is deemed "valuable", in your country, seems awfully s

Considering all the anti-internet, anti-gaming, anti-pron laws and sentiment that seems to have become so pervasive in Australia recently (much to the delight of /. editors, who have had no shortage of great front page stories from there recently) I propose that Australia must, to protect its citizens from the immoral influence of the internet, REMOVE ITSELF FROM THE INTERNET IMMEDIATELY. It's the only way to be sure.

If an unemployed blogger had done this he would get many years in prison (perhaps, I'm American so maybe this does not apply in Australia). Not only that, but the "newspaper" involved here would pay no attention to the blogger's rights and report the story the way the government prosecutors wished it to be written. The editor of this paper is laughing about the "controversy" and enjoying the attention as he is part of the club who run the country.

In nearly every home in the US, let alone the world, the doorways are locked with $5 pieces of tin and maybe a tiny bolt of metal shoved through some wood. There is little challenge to defeat these locks, either through picking or just jostling the door open or breaking the jamb. Furthermore, it's often the case that the doors are not locked at all, or perhaps a window is left open, or unlocked, and it's just assumed that since it's a second story window, that nobody would try it.

So many of these homes are invaded by thieves. And yet, there is no question that those invading were violating a law.

If you enter a public place, rules tend to change. Despite the doors not being locked, I can walk into a grocery store and not feel like I've trespassed because it's a business and that's expected. However, I've often seen unmarked doors in dark corners of large stores, or even doors marked "Employee Only" or maybe an unlabeled staircase leading to who-knows-where. I know I'm not welcome in those areas, and if I entered one and was subsequently accosted for it, should I be shocked?

Now we start talking about computers, and their presence on public networks. To me this is some kind of bizarre combination of the two previous physical scenarios. The computers themselves are viewed as having the privacy rights of the house, where-as their offering and the environment in which they make the offer is more like the store, or even another unmentioned public situation: A public park. So how do we come to the conclusions we make? Why is "security by obscurity" not enough to justify criminal charges to those who would violate it?

Or, if you see things the other way, then I ask why you think that the public accessing a publicly offered machine is somehow unlawful, even if they are walking through those otherwise unmarked doors or looking for out-of-the way staircases?

Just because a person doesn't break a lock to get into a home doesn't mean it's not breaking and entering, and just because a door at a store is unmarked doesn't mean the person's trying to break the law either. In the internet, your computer is knowingly placed in the public arena with open attempts at making it easy for the public to find and access, yet somehow accessing an unadvertised part of that computer is a violation?

I don't think the answers are clear but I do think some of the associated assumptions on both sides are questionable. It's interesting to think about at least. Who has the responsibility here, is it the site admin's responsibility to batten down every hatch or is it reasonable to expect people not to snoop around? You tell me...

This argument is used all the time, but it really doesn't apply. Leaving your door unlocked is not consent, implied or otherwise, for anyone to waltz on in.

True, but this was more akin to walking in to a library, and finding confidential documents in the general section right next to the Sunday newspaper (AKA, not behind any doors at all). All it took was knowing (or figuring out) where to look. There was no door here (if there was, it would have been in the form of a password or a DNS block (only allowi

It's neither trespassing nor breaking and entering. HTTP is a well known method of disseminating information. There are also well known ways of restricting access to information when you are disseminating it over HTTP. You can put it behind a firewall. You can restrict by IP ranges. You can give accounts with passwords to people who need to get it. No responsible organization can publish information on the web, not restricted by a firewall, not restricted by IP (which isn't very good anyway), not restr
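Several posts above ("put it behind a login", "there's something called a password", and the comment just above listing firewalls, IP ranges and accounts) describe the controls the site lacked without showing one. The Python below is an added example written for this thread, not code from the NSW site or the article: a minimal HTTP handler that answers the unpublished area only after an IP allow-list check and HTTP Basic authentication. The username "minister", its password, the credential store and the allowed network 203.0.113.0/24 are all hypothetical. Basic auth sends the password base64-encoded, not encrypted, so in practice this only makes sense behind TLS; the example keeps the decision logic in `authorize()` so it can be exercised without a network.

```python
import base64
import binascii
import hashlib
import hmac
import ipaddress
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

PBKDF2_ROUNDS = 100_000


def make_record(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Salted PBKDF2 record so the store never holds the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return (salt, digest, rounds)


# Hypothetical credential store, built here from a made-up password. A real
# deployment loads this from a file the web server does not serve.
USERS = {"minister": make_record("correct horse battery staple")}

# Hypothetical allow-list of the agency's own address range (TEST-NET-3).
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def basic_header(user, password):
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def client_allowed(client_ip, nets=ALLOWED_NETS):
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def check_basic_auth(header_value, users=USERS):
    """Return the username if the header carries valid credentials, else None."""
    if not header_value or not header_value.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header_value[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    record = users.get(user)
    # Hash even for unknown users so a missing name costs the same as a wrong password.
    salt, expected, rounds = record if record else (b"\x00" * 16, b"\x00" * 32, PBKDF2_ROUNDS)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    if record and hmac.compare_digest(candidate, expected):
        return user
    return None


def authorize(headers, client_ip):
    """403 if outside the allow-list, 401 if inside but unauthenticated, else 200."""
    if not client_allowed(client_ip):
        return 403
    if check_basic_auth(headers.get("Authorization")) is None:
        return 401
    return 200


class ProtectedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status = authorize(self.headers, self.client_address[0])
        if status == 401:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="blueprint"')
            self.end_headers()
            return
        if status == 403:
            self.send_error(403)
            return
        body = b"blueprint page: only reachable past the allow-list and a password\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Binds to loopback only; put a TLS terminator in front before exposing it.
    HTTPServer(("127.0.0.1", 8080), ProtectedHandler).serve_forever()
```

The order of the checks matters: the network test runs first so a client outside the agency's range never even gets a login prompt, which is the layered restriction the comment above argues for rather than relying on the IP check alone.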

If you had read the article you would know this wasn't a case of "guessing" the URL. The article states that they had a source that told them the EXACT url to use, and it doesn't involve a query string at all. This source (probably some lower level person inside the ministry in question) had knowledge of the new site, and what it contained, and they leaked this information to the journalists. This is 100% not hacking.

The URL in question is nswtransportblueprint.com.au. It isn't functioning now, but acco